Introduction

In August 2017, we learned of new attacks by a persistent malicious cyber threat actor known as Carbanak, aka FIN7 [1]. The most recent attack variants have mainly targeted the chain restaurant, hospitality, and casino industries in the US, seeking financial information, POS data, and credit card data.

The Securonix Threat Research Team has been actively investigating and closely monitoring attacks associated with this high-profile, continuously evolving malicious cyber threat actor to help our customers prevent, detect, mitigate, and respond to the attack.

Based on the practical security analysis of this attack that we performed in our lab, here is a summary of what we currently know, together with our recommendations on possible mitigations and the Securonix predictive indicators/security analytics that can be used to detect current and potential future attack variants by this malicious cyber threat actor.

Some of the capabilities leveraged by this malicious cyber threat actor include custom command and PowerShell/stager execution, POS monitoring, keylogging, HTTP form grabbing, file transfers, proxying, VMM/sandbox detection, and desktop video capture. This malicious cyber threat actor has been active for more than a year and has been constantly evolving its capabilities over time.

Observed Artifact Hash Values: There are a large number of attack/artifact variants associated with Carbanak/FIN7 malicious cyber threat actor attacks, and new variants appear regularly. Some of the recent artifact values include:

Detection – Sample Spotter Search Queries

(rg_category = "Proxy" OR rg_category = "Firewall" OR rg_category = "DNS") AND (ipaddress = 198.100.119.6 OR ipaddress = 94.140.120.132 OR ipaddress = 176.101.223.101 OR ipaddress = 185.86.151.210 OR ipaddress = 138.201.44.10 OR ipaddress = 176.101.223.100 OR ipaddress = 204.155.30.100 OR ipaddress = 179.43.140.85 OR ipaddress = 95.215.44.12 OR ipaddress = 95.215.47.105 OR ipaddress = 192.99.14.211 OR ipaddress = 80.84.49.61 OR ipaddress = 95.215.46.229 OR ipaddress = 107.181.246.189 OR ipaddress = 80.84.49.66 OR ipaddress = 95.215.46.234 OR ipaddress = 148.251.18.75 OR ipaddress = 138.201.44.4 OR ipaddress = 81.17.28.124 OR ipaddress = 95.215.45.94 OR ipaddress = 89.163.248.8 OR ipaddress = 95.215.46.249 OR ipaddress = 80.83.118.233 OR ipaddress = 62.210.25.121 OR ipaddress = 95.215.46.221 OR ipaddress = 104.250.138.197 OR ipaddress = 212.129.36.175 OR ipaddress = 179.43.133.34 OR ipaddress = 89.163.248.6 OR ipaddress = 95.215.44.94)
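The Spotter query above is an indicator sweep: it restricts the search to Proxy, Firewall and DNS resource groups and matches the `ipaddress` field against the observed Carbanak/FIN7 infrastructure addresses. The following Python script is an added example, not Securonix code, that replays the same logic outside the platform against constructed key=value log lines (the field names `rg_category`, `src`, `dst`, `query`, `answer` and `url` are assumptions, as are the sample lines themselves). It goes slightly beyond the query in one respect: rather than matching a single `ipaddress` field, it extracts every IPv4 address from every field of the event, so a DNS answer or an address embedded in a proxied URL is caught as well, while events outside the three in-scope categories are ignored exactly as the query does.

```python
"""Added example (not Securonix code): replay the IoC sweep above against
constructed proxy/firewall/DNS log lines."""
import ipaddress
import re

# IP indicators copied from the Spotter query above (duplicates removed).
FIN7_IOC_IPS = frozenset({
    "198.100.119.6", "94.140.120.132", "176.101.223.101", "185.86.151.210",
    "138.201.44.10", "176.101.223.100", "204.155.30.100", "179.43.140.85",
    "95.215.44.12", "95.215.47.105", "192.99.14.211", "80.84.49.61",
    "95.215.46.229", "107.181.246.189", "80.84.49.66", "95.215.46.234",
    "148.251.18.75", "138.201.44.4", "81.17.28.124", "95.215.45.94",
    "89.163.248.8", "95.215.46.249", "80.83.118.233", "62.210.25.121",
    "95.215.46.221", "104.250.138.197", "212.129.36.175", "179.43.133.34",
    "89.163.248.6", "95.215.44.94",
})

# The query only looks at these resource-group categories.
IN_SCOPE_CATEGORIES = {"Proxy", "Firewall", "DNS"}

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE_LOGS = [
    "rg_category=Proxy src=10.1.4.22 dst=95.215.46.229 url=http://95.215.46.229/ action=allowed",
    "rg_category=Firewall src=10.1.4.23 dst=8.8.8.8 action=allowed",
    "rg_category=DNS src=10.1.4.24 query=update.example-cdn.test answer=179.43.140.85",
    "rg_category=Endpoint src=10.1.4.25 dst=94.140.120.132 action=allowed",
    "rg_category=Firewall src=138.201.44.4 dst=10.1.4.26 action=blocked",
    "rg_category=Proxy src=10.1.4.27 dst=1.1.1.1 url=https://example.org/ action=allowed",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_log_line(line):
    """Turn a key=value log line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def extract_ips(event):
    """Collect every syntactically valid IPv4 address found in any field value
    (source, destination, DNS answer, an address inside a URL, ...)."""
    found = set()
    for value in event.values():
        for candidate in IPV4_RE.findall(value):
            try:
                ipaddress.IPv4Address(candidate)  # rejects octets > 255
            except ValueError:
                continue
            found.add(candidate)
    return found


def match_iocs(line, iocs=FIN7_IOC_IPS, categories=IN_SCOPE_CATEGORIES):
    """Return the set of indicator IPs present in one log line.
    Events outside the in-scope categories never match, mirroring the
    rg_category clause of the Spotter query."""
    event = parse_log_line(line)
    if event.get("rg_category") not in categories:
        return set()
    return extract_ips(event) & iocs


def hunt(lines, iocs=FIN7_IOC_IPS):
    """Sweep a batch of lines; return (line_index, category, sorted hits) per match."""
    alerts = []
    for idx, line in enumerate(lines):
        hits = match_iocs(line, iocs)
        if hits:
            alerts.append((idx, parse_log_line(line)["rg_category"], sorted(hits)))
    return alerts


if __name__ == "__main__":
    for idx, category, hits in hunt(SAMPLE_LOGS):
        print(f"line {idx} [{category}] matched {', '.join(hits)}")
```

Running the script flags three of the six constructed events: the proxy request to 95.215.46.229, the DNS answer resolving to 179.43.140.85, and the blocked inbound firewall event whose source is 138.201.44.4. The fourth event, which carries 94.140.120.132 but sits in an `Endpoint` resource group, is deliberately skipped, which is the same blind spot the category filter in the Spotter query has; widen `IN_SCOPE_CATEGORIES` if endpoint or EDR network telemetry should be swept too.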

Detection – Securonix Behavior Analytics/Security Analytics

Here is a high-level summary of some of the relevant Securonix predictive indicators to increase the chances of early detection of this and potentially other future variants of attacks carried out by this malicious cyber threat actor on your network:

Figure 6: Carbanak/FIN7 Attack Scheduled Task Execution

If you have any further questions regarding this high-profile threat and how Securonix can be leveraged to detect the behaviors associated with the threat, please contact the Securonix Threat Research Team at [email protected].


Securonix Security Analytics Platform, Securonix UEBA, Securonix Cloud, Securonix Security Data Lake, and Securonix Security Applications are trademarks of Securonix, Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2019 Securonix, Inc. All rights reserved.